The update comes with fixes to better language, smart card ServerBackup, Profile Manager, opendirectoryd/directory images, file sharing and support for a number of other aspects of the OS. Some specific aspects include disconnecting specific users w/ Server.app, more ACL information in Server.app, setting login greetings, etc.

The client update and available information is available at OS X Lion Update 10.7.3 (Client)

The client combo update and available information is available at OS X Lion Update 10.7.3 (Client Combo)

The server update is available at OS X Lion Update 10.7.3 (Server)

The server combo update is available at OS X Lion Update 10.7.3 (Server) Combo

The Server Admin Tools are available at Server Admin Tools 10.7.3

Also, ARD has been revved up to 3.5.2. It is available at Apple Remote Desktop 3.5.2 Client

Also, of note, AirPort Utility also got an update yesterday. It is available at AirPort Utility 6.0 for Mac OS X Lion

However, even though the App Store and Software Update Server in Mac OS X Server make things easier, there’s no simple way to download things once and distribute the downloaded files to multiple machines for items purchased on the App Store. When large updates come out (such as a new version of iOS), you’re essentially downloading huge amounts of data to each and every machine, and if machines are set to automatically download updates, you could even have a large number of them downloading simultaneously.

Of course you can run your own Software Update service in Mac OS X Server, but this requires that every client machine be configured to use the local server. This works well for machines under your control, but for all those people who bring in their own laptops this doesn’t help.

What’s worse is that there’s currently no way whatsoever to run a Software Update-like service for App Store purchases. Imagine if you have a lab of dozens or hundreds of Macs with Final Cut X or iPads (or iPhones, iPod Touches, whatever comes out next with iMovie or ). Any time there’s an update you’re potentially downloading over a gigabyte per machine in the case of Final Cut X or 70 megabytes or so in the case of iMovie. That can easily add up to a tremendous amount of traffic and the congestion, complaints and headaches which go with it..

What’s needed is an easy way to cache App Store downloads. While we’re at it, it would also be nice to transparently have machines use our own Software Update server. Let’s be even a little more ambitious and do this without needing Mac OS X Server. Aw, heck – let’s make it work on any reasonably Unix-like OS.

So how do we do this? The App Stores and Software Update services use http for fetching files. So what we need to do is to capture those http requests and either redirect them to a local store of Software Update files or locally cached App Store files.

Just as an aside, it’d be tremendously difficult to create a local store of App Store files if for no other reason than the fact that there are currently more than half a million applications. Add to this the rate at which updates become available and your machine would probably never be finished attempting to download all of the applications! Considering this, we’re looking at running Apache and squid on our Unix-like machine and doing a little redirection magic on whatever device does NAT or routes for us.

Note: There’s no reason that the same machine can’t do both NAT/routing and Apache/squid, although in most environments we are assuming that the machine would simply be a proxy for Mac or iOS-based devices. To make this example end-to-end though, we’ll run the router on the host.

Our example uses a Mac OS X (non-Server) machine running Leopard which is doing both NAT and running our Apache and squid software. We’re simply using the Internet Sharing service, the public network interface is en0 (which we don’t use anywhere) and the interface which will serve our iOS and Apple clients is en1 and has the address 10.0.2.1.

Everyone has their own favorite way of installing software on Unix-like OSes and a discussion about which is best and why would certainly be outside the scope of this article. In these examples we’re using NetBSD’s pkgsrc for no other reason than the fact that it will compile packages from source with a base directory which is easily configurable (feel free to use ports or some other automated tool according to what platform you are using). Get pkgsrc (usually via cvs; we’ll assume it’s put into /usr which can be as simple as:

cd /usr ; setenv CVSROOT :pserver:anoncvs@anoncvs.netbsd.org:/cvsroot ; cvs checkout -P pkgsrc

And then run /usr/pkgsrc/bootstrap/bootstrap like so:

cd /usr/pkgsrc/bootstrap/
./bootstrap --prefix /usr/local --pkgdbdir /usr/local/var/db/pkg --sysconfdir /usr/local/etc --varbase /usr/local/var --ignore-case-check

This puts all files into /usr/local including logs and configuration files, so keeping your system clean is simple and keeping track of the differences between built-in and pkgsrc software is easy. Next, install pkgsrc’s www/squid and www/apache (and net/wget if your Unix doesn’t already have it):

cd /usr/pkgsrc/www/squid
bmake update
cd /usr/pkgsrc/www/apache22
bmake update
cd /usr/pkgsrc/net/wget
bmake update

Note that on systems like Mac OS X which come with GNU make by default, that pkgsrc uses bmake; if you have BSD make already, just use make. Another note is that /usr/local/sbin is not in Mac OS X’s path by default, so add /usr/local/sbin to /etc/paths if you’re going to use it.

Now that the software is installed in consistent locations we can configure it. The squid.conf file only needs one line to be changed; everything else is added. Find the line which says:

http_port 3128

And change it to:

http_port 3128 intercept

Then add the following lines:

maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
cache_dir ufs /usr/local/var/squid/cache 16384 16 256
maximum_object_size 2097152 KB
refresh_pattern -i .ipa$ 360 90% 10800 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload ignore-must-revalidate
refresh_pattern -i .pkg$ 360 90% 10080 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload ignore-must-revalidate
acl no_cache_local dstdomain 10.0.2.1
cache deny no_cache_local
redirect_program /usr/local/bin/rewrite.pl

These settings are chosen to cache large files up to 2 gigabytes in size in a 16 gig cache on disk and to ignore cache directives with regards to .pkg and .ipa files. Adjust to your own liking. Of course, replace 10.0.2.1 with the private IP of your machine. The cache deny with that address is used to make sure that redirected Software Update files are not cached in squid which would just take up room which better used for App Store files.

The URL rewriting script (create /usr/local/bin/rewrite.pl) just changes Apple Software Update URLs to point to our server:

#!/usr/bin/env perl
$|=1;
while (<>) {
s@http://swscan.apple.com@http://10.0.2.1/swscan.apple.com@;
s@http://swcdn.apple.com@http://10.0.2.1/swcdn.apple.com@;
s@http://swquery.apple.com@http://10.0.2.1/swquery.apple.com@;
print;
}

Next we configure Apache. The location you choose for the Software Update files can be anywhere (in our example, they’re on a FireWire attached drive mounted at /Volumes/sw_updates/) which needs to be allowed in the Apache configuration.

Add to /usr/local/etc/httpd/httpd.conf:

The log lines are purely optional. If you don’t add them, logs will still be written at /usr/local/var/log/httpd/access_log and error_log.

Next, we configure ipfw (in the case of Mac OS X or FreeBSD) to redirect all port 80 traffic transparently to our squid instance. If you’re using a different device for NAT/routing or different firewalling software such as ipfilter, see the examples listed below.

ipfw add 333 fwd 10.0.2.1,3128 tcp from any to any 80 recv en1

Note that on Snow Leopard and Lion you’ll need to make this change, too:

sysctl -w net.inet.ip.scopedroute=0

ipfilter would look like this for the same ipfw task from above (if you’re using Linux):

rdr en1 0.0.0.0/0 port 80 -> 10.0.2.1 port 3128 tcp

Again, the local private IP is 10.0.2.1 and the local private interface is en1; substitute your IP and interface.

Finally, we need to mirror all Apple Software Updates. A simple shell script can do this. Save this file somewhere (named mirror_swupdate.sh, for instance) and run it from cron now and then, perhaps once a night:

#!/bin/sh

location=$1 # This is the root of our Software Update tree
mkdir -p $1
cd $1

for index in index-leopard-snowleopard.merged-1.sucatalog index-leopard.merged-1.sucatalog index-lion-snowleopard-leopard.merged-1.sucatalog
do
wget --mirror http://swscan.apple.com/content/catalogs/others/$index

for swfile in `cat swscan.apple.com/content/catalogs/others/$index | grep "http://" | awk -F">" '{ print $2 }' | awk -F"<" '{ print $1 }'`
do
echo $swfile
wget --mirror "$swfile"
done
done

Invoke this with the top of the tree of your Software Update files as you’ve used in the Apache config, like so:

./mirror_swupdate.sh /Volumes/sw_updates

Expect this to run for a long time the first time you run this because you’ll be downloading around 60 gigabytes of updates. Every time it runs afterwards, though, files won’t be downloaded again unless they change (which they won’t; new updates will show up as new files).

Start squid and Apache, then tail your Apache log and run Software Update to test:

/usr/local/share/examples/rc.d/apache start
/usr/local/share/examples/rc.d/squid start
tail -f /usr/local/var/log/httpd/swupdate_access_log

At this point, you can redirect your software updates to the host. Updates for both the Mac App Store and iOS are also now cached. In the next article we’ll look at using some squid extensions to enable you to block applications from the App Stores or block updates in the event that an update is problematic.

Lack of font management is a cost center for many organizations. There is a loss of productivity every time a user has to manually add fonts when opening co-workers documents, or the cost of a job going out with the wrong version of a font. Some of the other benefits of fonts servers are separate font sets for different workgroups and isolating corrupt fonts to clean up large font libraries, along with quick searching and identification of fonts.

Font Management and Best Practices

Anyone who uses fonts for daily workflow needs font management. This could be a standalone product such as Suitcase Fusion or Font Agent Pro. But larger environments invariably need to collaborate and share fonts between users, meaning many environments need font servers. Two such products include Extensis Universal Type Server and Font Agent Pro Server. But before adding font management products, users should clean up and any fonts loaded or installed and added prior to moving to a managed font environment. Places to look for fonts when cleaning them up include the following:

• ~/Library/Fonts
• /Library/Fonts
• /System/Library Fonts

Leaving any necessary system, Microsoft Web Core, and required Adobe fonts.

The best resource for this process can be found at Extensis Font Best Practices in OX v.7, which can be found at: http://www.extensis.com/en/downloads/document_download.jsp?docId=5600039

Types of Font Server Products Available

There are two major font server publishers: Extensis and Font Agent Pro. Both have workgroup and enterprise products. All server products from both products work on a client/server model. Both can sync entire font sets or serve fonts on-demand. The break down for the Extensis Universal Type Sever is at 10 clients. Below 10 clients Universal Type Server Lite is a 10 clients product, which lacks Enterprise features, such as the ability to use a SQL database or integrate in Open Directory or Active Directory. The full Universal Type Server Professional adds Directory integration, external database use, and font compliance features and is sold as 10-user license, with an additional per seat license.

Insider Software offers two levels of font servers. The first is FontAgent Pro Team Server designed for small workgroups and sold in a 5 or 10 client configuration. The next level of product is Font Agent Pro Enterprise server. This adds the same directory services integration as Universal Type Server Professional. This product also has Kerberos single sign on, server replication and fail over. It uses the same per-seat pricing structure as Universal Type Server Professional.

A third tool is also available in Monotype Font Explorer, at http://www.fontexplorerx.com, which we will look at later in this article.

Pre-Deployment Strategies and Projects

Before any font server deployment, there are a few things to take into consideration. First is number of clients. This will guide you to which product will be appropriate for installation. Also note if Directory integration and compliance is needed. Is failover or a robust database important. The most important part of any font server installation is the fonts. How may are there, where are they coming from, are separate workgroups needed? Are all your fonts legal? In my experience probably not. Is legal compliance required for you organization or your clients? What is the preferred font type, PostScript Type 1, Open Type? What version are the fonts? Most fonts have been “acquired” over time, with some Postscript fonts dating back to early to mid nineties. As a font server is just a database, the axiom “garbage in, garbage out” is true here as well. This should lead to a pre-deployment font library consolidation and clean up. This can be either be done by 318 or we can train the you to perform this task. If compliance is an issue this is where we would weed out unlicensed fonts. Which to my experience is about 90% of all fonts. A clean, organized font set is the most important part of pre-deployment.

A major part of any font server roll out should be compliance and licensing. This allows for the tracking and reporting of font licenses and to make sure that stays in licensing and compliance.

Extensis

Universal Type Server includes the ability to generate and export reports to help you determine if you are complying with your font licenses. The font compliance feature only allows you to track your licensing compliance and does not restrict access to noncompliant fonts. To help you understand how the font licensing compliance, let’s look at the following typical example of how to use licenses and the font compliance report in your environment.

Say you are starting up your own design shop and need a good group of licensed fonts for your designers to create projects that will bring you fame and fortune. You know that fonts are valuable, and you want to be sure that you have purchased enough licenses for your requirements. So, you purchase a 10­user license of a sizable font library. Using the Universal Type Client, these fonts are added to a Type Server workgroup as a set. A font license is then created and the Number of Seats field is set to 10. This license is then applied to all fonts in the set.

When you run the font compliance report, Universal Type Server compares the number of seats allowed to the total number of unique users who have access to the workgroup. If more users have access than licenses available, the fonts are listed as “non-­compliant.” You can now either remove users from the workgroup or purchase more font licenses to become compliant.

Universal Type Server is unique amongst other products in that it uses a checksum process to catalog fonts. Others just use file names and paths.

Universal Type Server Deployment

Universal Type Server system requirements include the following:

Macintosh Server

•          Mac OS X v 10.5.7, 10.6 Mac OS X Server 10.5 or 10.6•          1.6 GHz or faster 32-bit (x86) or 64-bit (x64) processor (PowerPC is not supported)
•          1 GB available RAM
•          250 MB of hard disk space + space for fonts
•          Safari 3.0 or Firefox 3.0 or higher*
•          Adobe Flash Player 10 or higher*

Windows Server

•          Windows XP SP3 (32-bit only), Server 2003 SP2, Server 2008 SP2 (32 or 64-bit version**)
•          P4 or faster processor***
•          1 GB available RAM
•          250 MB of hard disk space + space for fonts
•          Internet Explorer 7 or Firefox 3.0 or higher*
•          Adobe Flash Player 10 or higher*
•          Adobe Reader 7 to read PDF documentation*
•          Microsoft .NET 3.5 or higher

Universal Type Server Installation Process:

1.         Verify server system requirements
2.         Run the installer on the target server machine
3.         Login to the Server Administration web interface
4.         Serialize the server
5.         Set the Bonjour Name
6.         Resolve any port conflicts
7.         Set any desired server configuration options, including backup schedule, log file configuration, secure connection options, and any other necessary server settings.
8.         After installing the server, configure workgroups, roles and add users.

The basic user and workgroup configuration steps include:

1.   Plan your configuration
2.   Create workgroups
3.   Create new users
4.   Add users to workgroups
5.   Assign workgroup roles to users
6.   Modify user settings as required

Optional Setup:

1. Managing System Fonts with System Font Policy The System Font Policy feature allows Universal Type Server administrators to create a list of system fonts that are allowed in a user’s system font folder.
2. Font Compliance Reporting
   The font compliance feature only allows you to track your licensing
   compliance and does not restrict access to noncompliant fonts.
3. Directory Integration
   Directory integration allows network administrators to automatically
   synchronize users from an LDAP service
   (Active Directory on Windows or Open Directory on Mac OS X) with Universal Type Server workgroups.

* UTS Documentation:

http://tinyurl.com/4xgn9rr

Both Universal Type Server Professional and Font Agent Pro Enterprise can be configured for Open Directory, Active Directory, and LDAP integration. Both also can utilize Kerberos Single User sign on. Universal Type Sever Professional directory integration instructions can be found in the UTS 2 Users and Workgroups Administration Guide at http://tinyurl.com/4xgn9rr. Some users have reported issues connecting to Open Directory (which happens with all products, not just this one).

Universal Type Server runs in Flash for administrative functions, which many do not like.

Monotype Font Explorer

Monotype Font Explorer is a third tool that can be used to manage fonts. Available at http://www.fontexplorerx.com there are some things that some environments do not like about Universal Type Server or Font Agent Pro. Let’s face it, the reason there are multiple products and multiple workflows is that some work for some environments and others work for other environments/workflows better. For example, Font Agent Pro stores master fonts on one client machine, which is then synchronized to the server, and from there to the rest of the clients; not everyone wants a client system acting as a master to the server. Font Explorer keeps the master is on the server, groups and synchronization works well and the administration is in the same window as font management. And best of all, Font Explorer is also typically cheaper than its server-based competitors in the font management space.

Extensis publishes a guide as to which fonts to include in the system and which to handle in the font management software. According to Apple documentation, and fonts in my ~/Library/Fonts folder take precedence to fonts in /Library/Fonts, which again takes precedence to /System/Library/Fonts. That means that if I install Times in my ~/Library/Fonts folder, it will be used instead of the font with the same name in /Library/Fonts or in /System/Library/Fonts. So how is it that I should care which fonts is installed where, as the font management applocation should simple take precedence to the others? If it does not take precedence, then where in the chain is it actually activating fonts? Maybe fonts are handled in these solution in parallel with the system mechanism? Thats the only explanation I can find to that, but is then only valid for UTS, or is it also valid for the other solutions?

End User Training and Font Czar

No font server installation would be complete without end user training and the appointment of a Font Czar. User training can be a fairly easy endeavor if client systems are using the same publishers stand-alone font client. Other times it could entail discussing licensing and compliance concepts along with adding metadata to fonts. An onsite Font Czar (or more than one) is very important to font server installations. The Font Czar cleans up and ingests new fonts, adds new users to font server, and in general be the Font Admin. This is usually a senior designer or technical point of contact for the creative environment.

Conclusion

Font Book is adequate for most users that don’t need a server. Universal Type Server, Font Agent Pro and FontExplorer are all great products if you need a font server. They all are installed centrally and allow end users to administer fonts, based on the server configuration and group memberships. They all work with directory services (some better than others) and can be mass deployed. In big workgroups or enterprises, where only a few people are handling the administration of fonts for a lot of people, a centralized font management solution is a must. But in much smaller organizations, it requires care and feeding, which represents a soft cost that often rivals a cost to purchase the solution.

Finally, test all of the tools available. Each exists for a reason. Find the one that works with the workflow of your environment before purchasing and installing anything.

Note: Thanks to Søren Theilgaard of Humac for some of the FontExplorer text!

By default, Spanning Tree is enabled on all Cisco Switches. In this article we’ll look at disabling Spanning Tree Protocol. But it is important to point out that once disabled, it is important to keep in mind that creating an additional VLAN automatically runs another instance of spanning tree protocol, so you may need to repeat this process in the future.

First backup the device. Then, ssh into the device:

ssh admin@64.32.49.172

You should be prompted for credentials at this time if using telnet. If you are using SSH you should only be prompted for the password. Once connected to the device you will need to go into enable mode by typing en at the command prompt and hit enter:

en

It may prompt you for a password, which you will need to know. Once complete you will notice that the prompt turns from an > to an # symbol. Now that you have administrative access, you will need to go into global configuration mode using the config t command:

config t

Now let’s actually disable spanning tree protocol. Enter in the no verb followed by spanning-tree, the protocol we’re disabling, followed by VLAN, followed by the VLAN identifier:

no spanning-tree VLAN vlan-id

Repeat for each VLAN if you need to do this on multiple. When done, exit config mode by entering the end command:

end

You can then enter the show command along with the spanning-tree option and view to see if there are any remaining spanning tree’s still active and verify if your command took:

show spanning-tree

If the command took and spanning tree is no longer enabled. Run the coppy command, followed by running-config and then startup-config, which copies your running configuration to your startup configuration making your change permanent:

copy running-config startup-config

It is then usually recommended to go ahead and reboot servers and clients prior to testing.

Let us know if you have any questions!

### sends keystrokes to configure APC Powerchute software.

end tell
EOL

The combination of StarDeploy and DeployStudio allows you to image and then patch manage systems in simplistic environments fairly quickly, easily and to do so in a cost effective manner. However, StarDeploy isn’t as object oriented as JAMF’s Casper Suite, FileWave, Symantec’s Altiris or other solutions you may currently be using or reviewing. The solution manages somewhat flat structures. You can create multiple file shares if you have multiple groups, but compared to how Casper or other comparable tools operate, this could get somewhat tedious to manage in complex environments. However, the cost is a donation that you can make and so it is inexpensive.

In our use, StarDeploy has been able to easily push out packages to a large number of systems very quickly. The packages that you build for StarDeploy can then be moved into other solutions if you outgrow StarDeploy. This makes for a nice modular approach where you can grow into a more complex solution or even have StarDeploy work in conjunction with other solutions; for example: allowing StarDeploy to manage lab environments and using a more robust solution for more robust environments.

Overall, StarDeploy makes an excellent addition to the toolkit of anyone with a keen eye on managing large numbers of Mac OS X systems. If you would like to discuss using StarDeploy, JAMF’s Casper Suite, FileWave or other products for patch management, contact your 318 Professional Services Manager or sales@318.com today!

This book is intended for IT staff members that will be charged with planning an iPhone and ipad implementation or pilot program, as well as those that will be charged with ultimately deploying and provisioning the devices and delivering support to iPhone and iPad users. Readers should have an existing background in IT management, systems administration, and end user support working in a medium to large business or enterprise environment.

If you are considering doing a large scale integration or remediation project for iOS-based devices in your environment then contact your 318 Professional Services Manager or sales@318.com for more information on how 318 can assist you in your endeavors.

If you have labs, common in K12 and Higher Education but not so common in the corporate world, you need network home folders on the Mac OS X side, or its sister, portable home directories. On the Windows side, you need folder redirection. But a growing number of education environments are practicing the art of the one-to-one deployment, which strongly resembles what can be seen in the corporate world.

Between the big iron, massive SANs attached to the core switches licensing for DFS heads and the like, it can all get cost prohibitive. But we still do it because we think we need our data replicated. And some of us do. But one thing that we often say is that this data is not a backup. So if it isn’t a backup then how do we back these systems up. And if we do need to back these systems up then why are we also performing a layer of redundant synchronization? Does all of this result in 3 or 4 copies of the data, all in a from that cannot be reduplicated?

The end of the Xserve is nigh, and now for something completely different?

Awhile back, someone told me that you could back an unlimited amount of data up to the cloud for a price that was so cheap that I was stunned. There were a couple of products that I reviewed: CrashPlan and Backblaze. Both are pretty darn awesome. But the bandwidth to back 3,000 users up to someone else’s cloud can become pretty darn cost prohibitive. Enter CrashPlan Pro: you can host that cloud in your own location, or in multiple locations if you have the need to do so, and all on relatively inexpensive hardware, either leveraging the hardware that you already own or even the CrashPlan Pro appliances, rack mountable goodness that scales to store up to 72TB of data per unit, to store data that gets deduplicated before it gets copied to the device over the wire, providing substantial storage savings, not to mention reduced congestion on your wire (or wireless).

And to top it all off, CrashPlan Pro offers extensibility in the form of a REST-based API that allows building that which you may need but which the developers have not yet though (or more likely had time) to build. The API actually makes CrashPlan Pro a possible destination for Final Cut, amongst other things.

Oh, and did we mention the client can run on Mac OS X, Windows, Linux and Solaris?!?!

318 partners with a number of vendors to help you rethink your IT conundrum, leveraging the best advances of today and tomorrow. We are pleased to add CrashPlan as our latest, in a long list of valued partners. Contact your 318 Professional Services Manager, or sales@318.com now for more information.

One nice option that the Casper Suite has for the mobile users in many an enterprise is the ability to restore a given machine to a known good working state. Casper addresses this using a concept known as a restore partition. The restore partition can be used to deploy a base set of packages to a client, or maybe just a functional operating system that hooks back into the JSS, or JAMF Software Server. Because you want the restore partition to be somewhat undefiled, you can hide it. Then, if a user needs to boot to the restore partition, they would simply boot the computer holding down the option key and select Restore (or whatever you have named it).

The /usr/sbin/jamf command can then be used to hide that restore partition using the hideRestore option. For example, assuming that the restore partition is named Restore, the following command will hide it:

/usr/sbin/jamf hideRestore

But, you might find that you want to deploy multiple hidden partitions. So let’s say that you had another for running disk tools. In our environment we could call it 318Tools. So to hide it as well, we would use the same command, but with the -name option followed by the name of the other partition we would like to hide, like so:

/usr/sbin/jamf hideRestore -name 318Tools

Overall, there are a number of uses other than simple patch management with the Casper Suite, and this is just one of the small things you can do with the jamf command, an integral part of the Suite.

http://mergebookmarks.sourceforge.net

Note: The script also looks at existing bookmarks and doesn’t merge in duplicates.

Developed by 318 Inc., ASR Setup Toll is an application for setting up Apple Software Restore (“ASR”). In the context of the ASR Setup Tool, ASR is used for setting up a multicast stream that can then be leveraged for imaging Mac OS X computers.

We hope you enjoy!

Mac OS X 10.6.2 Server is now available. This update represents a great step for environments that have either already made to, or are preparing/planning the upgrade to, Snow Leopard Server. In this update, Apple addresses the following issues (from Apple.com):

• adding and removing imported users in Server Preferences
• synchronizing Portable Home Directory content
• using iCal web interface within select time zones
• previewing and capturing dual-source video in Podcast Capture
• server-side filtering of incoming mail messages
• using chained digital certificates for mail services
• creating images with System Image Utility
• automating installation of NetRestore images
• preventing brute force password attacks
• using sudo command with authenticated Open Directory binding
• binding to Active Directory domains with invalid service records
• creation of mobile accounts for Active Directory users
• correcting a problem that would cause the Software Update cache to grow excessively

As partners of Research in Motion, Microsoft and Apple, 318 would be happy to work with you to formulate a unified strategy for managing, application development and application delivery for your mobile enterprise – no matter the platform.

about: config

This will allow you to customize preferences, whether or not they’re otherwise known, line by line.  These can then be copied between users, by inserting lines into the preferences file.

Like with most applications on Mac OS X, the preferences for Firefox can be deployed en masse.  It is a bit more complicated than deploying preferences for some other applications.  The reason for this is that the path to the preference file isn’t the same for all users.  The file is located in the ~/Library/Application Support/Firefox/Profiles directory.  It is an 8 character string followed by .default.  For example, lzwntwo9.default.  In this folder is a file called prefs.js, which contains all of the preferences for Firefox.  For example, the following line will disable the check for whether you wish Firefox to be the default web browser for a user:

user_pref(“browser.shell.checkDefaultBrowser”, false);

Once you know what preferences you’d like to push out there are two options to do so (there might be more, but these are the two we’ve used):

• The first is to edit items in the Firefox.app bundle.  Most of these can be edited using the /Applications/Firefox.app/Contents/MacOS/defaults/profile/prefs.js file, although the home page will be set using the /Applications/Firefox.app/Contents/MacOS/browserconfig.properties file.  One note is that when you go to customize the prefs.js file it will give you a fairly nasty warning, but then it will push changes out to new accounts; however, don’t make any changes while the application is open.  Additionally, this method requires deleting the existing preferences, so if you simply want to push out updates you’ll need to resort to the second method.
• For the second method, we look at a script that finds the name of the directory located in ~/Library/Application Support/Firefox/Profiles for the user (or all users for computer-based policies) of the system.  We then set that as a variable.  For example, using the output of ls ~/Library/Application\ Support/Firefox/Profiles/ as a variable called FFPREFSFOLDER would then be used to alter the contents of the js file using ls ~/Library/Application\ Support/Firefox/Profiles/$FFPREFSFOLDER/prefs.js as the actual path of the file for a user.

Now you can insert (or replace) the line that makes up the specific preference.  This isn’t nearly as clean as using defaults to push out Safari preferences.  But it does provide a way to push out Firefox preferences, be it as a file drop to replace the preferences in the application bundle or as a line edit to alter settings of an existing users browser.

esxupdate -query

Once you know what updates have already been applied to your system it’s time to go find the updates that still need to be applied. You can download the updates that have not yet been run at http://support.vmware.com/selfsupport/download/. Here you will see a bevy of information about each patch and can determine whether you consider it an important patch to run. At a minimum, all security patches should be run as often as your change control environment allows. Once downloaded make sure you have enough free space to install the software you’ve just downloaded and then you will need to copy the patches to the server (using ssh, scp or whatever tool you prefer to use to copy files to your ESX host). Now extract the patches prior to running them. To do so use the tar command, as follows:

tar xvzf .tgz

Once extracted, cd into the patch directory and then use the esxupdate command with the update flag and then the test flag, as follows:

esxupdate –test update

Provided that the update tests clean, run the update itself with the following command (still with a working directory inside the extracted tarball from a couple of steps ago):

esxupdate update

There are a couple of flags that can be used with esxupdate. Chief amongst them are -noreboot (which doesn’t reboot after a given update), -d, -b and -l (which are used for working with bundles and depots).

If esxupdate fails with an error code these can be cross referenced using the ESX Patch Management Guide.

You can also run patches without copying the updates to the server manually, although this will require you to know the URL of the patch. To do so, first locate the patch number that you would like to run. Then, open outgoing ports on the server as follows:

esxcfg-firewall -allowOutgoing

Next, issue the esxupdate command with the path embedded:

esxupdate –noreboot -r http:// update

Once you’ve looped through all the updates you are looking to run, lock down your ESX firewall again using the following command:

esxcfg-firewall -blockOutgoing

In order to cascade Software Updates from one server to another you would first setup your first Software Update Server. Let’s say that we set it up as SUS1.domain.com and set it to run on port 8080. Next you would setup your second server (let’s call it SUS2.domain.com) and edit the “metaindexURL” key (by default it’s set to be swscan.apple.com) of the file, /etc/swupd/swupd.plist. So you would change the key to be SUS1.domain.com/content/meta/mirror-config-1.plist.

If you’re familiar with Managed Preferences in Tiger then you’re basically already familiar with Managed Preferences in Leopard Server. But there are some great new features that Apple has provided us with by popular demand. These include the following:

Applications
There are now more features to the Applications Managed Preference. You can allow or disallow applications by selecting them individually or a folder. This means that you can allow access to applications located in the /Applications folder but disallow all applications located in the /Applications/Utilities folder. There are also now controls for allowing specific widgets and disabling Front Row.

Finder
There are new options to limit users from doing tasks when in the Finder such as Ejecting a disk, connecting to servers, rebooting and burning disks.

Login
You can now control the list of users that are displayed to a user during login times to show Mobile accounts and network users. You can show/hide the restart button, disable automatic logon, enable Fast User switching, set the local computer record name to the name of the computer on the server, enable guest access, control the inactive time to logout users and configure computer based Access Control Lists.

Mobility
Mobility now allows administrators to set an expiry for a users home folder on the system they are logging into. This allows administrators to keep local desktop systems from getting polluted with hundreds of home folders without using custom scripts to do so. Administrators can also now force accounts on local systems to use FileVault with Mobility accounts to keep data on local systems as secure as possible and set quota’s for user home directories. Finally, it is also now possible to control the path that the user home folder is located on local desktops.

Network
Administrators can now Disable Internet Sharing, Airport and Bluetooth for client computers.

Parental Controls
Hide profanity in the dictionary, control access to web sites, set the amount of time per day that a computer is allowed to be used and set times when login is not allowed in this new Managed Preference.

Printing
Force users to put their user name, date and/or MAC address in a page that is sent with each print job.

System Preferences
Allow or deny access to each System Preference (including the new ones).

The following command will setup a hidden SSH user and restrict SSH access to be allowed by only that user:
jamf createAccount -username casperadmin -realname "Casper Admin" -password capseradmin -home /Users/casperadmin -hiddenUser -admin -secureSSH

This command can be used to display a popup on the system it’s run on that says “Hello Minnesota”:
jamf displayMessage -message "Hello Minnesota"

The following command will unmount a mounted server called mainserver:
jamf unmountServer -mountPoint /Volumes/mainserver

The following command can be used to change a users home page in all of their web browsers:
jamf setHomePage -homepage www.318.com

The following command can be used to fire up the SSH daemon:
jamf startSSH

The following command can be used to fix the By Host files on the local machine:
jamf fixByHostFiles -target 127.0.0.1

The following command can be used to run a Fix Permissions on the local machine:
jamf fixPermissions /

The following can be used to flush all of the caches on your local system:
jamf flushCaches -flushSystem

The following can be used to bless the drive externaldrive:
jamf bless -target /Volumes/externaldrive

The following can be used to run a software update on the local system:
jamf runSoftwareUpdate

The following can be used to bind to an AD environment (rather than dsconfigad if for some reason you just didn’t like using dsconfigad), but would need all the parameters for your environment put in as flags:
jamf bindAD

The following can be used to enable OpenFirmware passwords on your computer to secretpass:
jamf setOFP -mode full -password secretpass

Most of these options are available inside the Casper suite, but the ability to do some simple tasks very quickly from the terminal is yet another reason to fall in love with Casper.